“As happens with applications I regularly use, I felt the need to understand how Facebook Messenger works,” Imperva security researcher Ron Masas wrote in a blog post.

“I started poking around the Messenger Web application and noticed that iFrame elements were dominating the user interface,” he continued. “The chat box, as well as the contact list, were rendered in iFrames, opening the possibility for a CSFL attack.”

Testing his theory, Masas found that by recording “full state” and “empty state” data, he could remotely determine whether someone has chatted with a specific person or business.

When the iFrame counts for the two states are plotted as lines over time, the empty-state count shows a blip, which signifies zero communication between two users; if contact has been made, the pattern remains steady.

And while the glitch doesn’t allow hackers to retrieve individual conversations, it does, as Masas pointed out, violate users’ privacy.

He reported the vulnerability to Facebook, which has since removed all iFrames from the Messenger interface.

“The bug is a browser issue related to how they handle content embedded in webpages, and could affect any site, not just Messenger.com,” a Facebook spokesman told Geek in an email. “We already fixed the issue for Messenger.com last year to safeguard our users and made recommendations to browser makers to prevent this type of issue from happening.”

“Browser-based side-channel attacks are still an overlooked subject,” Masas said. “While big players like Facebook and Google are catching up, most of the industry is still unaware.”

Imperva researchers in November discovered a similar bug that allowed websites to extract data from Facebook user profiles, thanks to a security flaw relating to cross-site frame leakage.

A month later, the social network announced that its internal team found a photo API flaw that could have impacted up to 6.8 million users, and might have allowed third-party apps access to people’s private images.